Hi,

I'm trying to build a package for resubmission. However it fails with messages like that

In file included from ./include/UpTools/UpLog.h:77,
                 from UpLog.cc:46:
UpLog.cc: In function 'void upOpenLogFileInternal(const char*, int, const char*, int, int (*)(char*))':
./include/UpTools/UpLog.inl:63:30: error: format not a string literal and no format arguments [-Werror=format-security]
   63 |    syslog(level, __VA_ARGS__ ); \
      |                              ^

End of message

The line in the code is:

n += snprintf(logbuf+n,MAXLOGLINE-1-n, __VA_ARGS__ ); \

And also this warning:

UpLog.cc: In function 'void upOpenLogInternal(const char*, int, int, int)':
./include/UpTools/UpLog.inl:69:11: warning: ignoring return value of 'ssize_t write(int, const void*, size_t)' declared with attribute 'warn_unused_result' [-Wunused-result]
   69 |    ::write(upLogFd,logbuf,n); \
      |    ~~~~~~~^~~~~~~~~~~~~~~~~~
./include/UpTools/UpLog.h:115:26: note: in expansion of macro '_UPLOG_'
  115 | #define UPLOG(level,...) _UPLOG_(level, __VA_ARGS__ )

End of message

The line in the code is:

 if(upLogPerror) ::write(2,logbuf,n); \

Regarding the "format not a string literal and no format arguments [-Werror=format-security]" message:
AFAIK, instructions of the kind printf(format, var1, var2, ...) will always fail, since it can't verify at compile time that the format includes the number of variables that appear later.

If the developer does not use formats entered by the user, the exploit disappears, doesn't it?

So the question is: in this case, can I override the Fedora compiler flags?

Thanks in advance!
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org
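The pattern the -Wformat-security and -Wunused-result warnings point at, as an added example that is not from the UpTools code base: a small format wrapper carrying GCC's format attribute (so the compiler keeps checking every call site), text from outside passed as a "%s" argument rather than as the format string, and a write loop that checks the return value of write(). up_format_line, up_write_all, log_untrusted_safely and the sample string are hypothetical names constructed here.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical wrapper for the snprintf step of the logging macro. The format
 * attribute tells GCC which argument is the format, so -Wformat and
 * -Wformat-security still check every caller. Returns bytes stored, or -1. */
__attribute__((format(printf, 3, 4)))
int up_format_line(char *logbuf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(logbuf, cap, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= cap)          /* output was truncated to cap-1 bytes */
        n = (int)cap - 1;
    return n;
}

/* Replacement for the unchecked ::write(fd, logbuf, n): writes the whole buffer,
 * retrying after EINTR and partial writes. Returns 0 on success, -1 on error. */
int up_write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/* Constructed sample: text from outside that happens to contain directives. */
static const char *const untrusted_text = "user %s %x %n sent this";

/* Safe: the literal "%s" is the format; the untrusted text is only data. */
int log_untrusted_safely(char *out, size_t cap)
{
    return up_format_line(out, cap, "%s", untrusted_text);
}
```

Calling up_format_line(buf, cap, untrusted_text) instead would be exactly the call GCC rejects under -Werror=format-security, because the format attribute makes the wrapper subject to the same check as syslog() and snprintf().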